Author Topic: Track attackers on Cubieboard with kippo honeypot

Offline mihi

Track attackers on Cubieboard with kippo honeypot
« on: May 27, 2015, 02:20:53 pm »
A honeypot is a trap set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems (taken from wiki). The tool I used is called kippo.

I have installed kippo on my 24/7 cubieboard2 with Lubuntu and now I'm tracking all attempts to log in to ssh from the Internet. Since I wanted to protect my cubieboard resources, I created disk space in memory so all the logs are stored there.

The step by step instructions are posted here: http://homecircuits.eu/blog/kippo-honeypot-on-cubieboard-ubuntu/

After one night my cubieboard logged several attempts to log in with e.g. these username/password combinations:
  • root/wubao
  • root/jiamima
  • root/admin

Some interesting kippo features:
  • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
  • Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
  • Session logs stored in a UML-compatible format for easy replay with original timings
  • Just like Kojoney, Kippo saves files downloaded with wget for later inspection
  • Trickery: ssh pretends to connect somewhere, exit doesn't really exit, etc.
More info on kippo: https://github.com/desaster/kippo
Honeypot wiki: http://en.wikipedia.org/wiki/Honeypot_%28computing%29

mihi
« Last Edit: July 10, 2015, 06:52:24 pm by mihi »

Offline mihi

Re: Track attackers on Cubieboard with kippo honeypot
« Reply #1 on: June 01, 2015, 05:09:39 pm »
After some days, the log is slowly filling up:
Code:
grep "login attempt" kippo.log
Code:
2015-05-27 05:59:08+0200 218.65.30.92 root/wubao failed
2015-05-27 05:59:11+0200 218.65.30.92 root/jiamima failed
2015-05-27 05:59:13+0200 218.65.30.92 root/wubao failed
2015-05-27 05:59:18+0200 218.65.30.92 root/jiamima failed
2015-05-27 05:59:19+0200 218.65.30.92 root/wubao failed
2015-05-27 05:59:21+0200 218.65.30.92 root/jiamima failed
2015-05-27 05:59:31+0200 218.65.30.92 root/wubao failed
2015-05-27 05:59:33+0200 218.65.30.92 root/jiamima failed
2015-05-27 05:59:34+0200 218.65.30.92 root/wubao failed
2015-05-27 07:33:37+0200 113.195.145.12 root/wubao failed
2015-05-27 07:33:38+0200 113.195.145.12 root/jiamima failed
2015-05-27 07:33:39+0200 113.195.145.12 root/wubao failed
2015-05-27 07:33:44+0200 113.195.145.12 root/jiamima failed
2015-05-27 07:33:45+0200 113.195.145.12 root/wubao failed
2015-05-27 07:33:46+0200 113.195.145.12 root/jiamima failed
2015-05-27 07:33:50+0200 113.195.145.12 root/wubao failed
2015-05-27 07:33:52+0200 113.195.145.12 root/jiamima failed
2015-05-27 07:33:53+0200 113.195.145.12 root/wubao failed
2015-05-27 07:33:57+0200 113.195.145.12 root/jiamima failed
2015-05-28 14:09:50+0200 112.4.10.18 fluffy/fluffy failed
2015-05-28 17:11:29+0200 112.4.10.18 admin/admin failed
2015-05-28 23:38:01+0200 112.4.10.18 guest/guest failed
2015-05-29 02:39:36+0200 112.4.10.18 webmaster/webmaster failed
2015-05-29 05:35:09+0200 112.4.10.18 mysql/mysql failed
2015-05-29 08:32:55+0200 112.4.10.18 oracle/oracle failed
2015-05-29 11:31:57+0200 112.4.10.18 library/library failed
2015-05-29 14:35:11+0200 112.4.10.18 info/info failed
2015-05-29 17:45:58+0200 112.4.10.18 shell/shell failed
2015-05-29 20:48:20+0200 112.4.10.18 linux/linux failed
2015-05-29 23:48:33+0200 112.4.10.18 unix/unix failed
2015-05-30 02:49:41+0200 112.4.10.18 webadmin/webadmin failed
2015-05-30 05:47:33+0200 112.4.10.18 ftp/ftp failed
2015-05-30 08:55:39+0200 112.4.10.18 test/test123 failed
2015-05-30 12:01:28+0200 112.4.10.18 root/root123 failed
2015-05-30 15:06:12+0200 112.4.10.18 admin/admin123 failed
2015-05-30 16:55:21+0200 119.40.117.182 root/NUIBUNA_PAROLA_123 failed
2015-05-30 16:55:22+0200 119.40.117.182 root/q1w2e3r4 failed
2015-05-30 16:55:23+0200 119.40.117.182 root/okmnji failed
2015-05-30 18:05:32+0200 119.40.117.182 root/1qaz2wsx failed
2015-05-30 18:05:34+0200 119.40.117.182 root/lover failed
2015-05-30 18:05:35+0200 119.40.117.182 root/root2010 failed
2015-05-30 18:10:16+0200 112.4.10.18 guest/guest123 failed
2015-05-30 19:34:59+0200 119.40.117.182 root/redhat1 failed
2015-05-30 19:35:01+0200 119.40.117.182 root/albert failed
2015-05-30 20:36:10+0200 138.97.150.46 root/cisco failed
2015-05-30 20:36:18+0200 138.97.150.46 ubnt/ubnt failed
2015-05-30 20:36:26+0200 138.97.150.46 admin/admin failed
2015-05-30 20:36:33+0200 138.97.150.46 support/support failed
2015-05-30 20:36:40+0200 138.97.150.46 admin/1234 failed
2015-05-30 20:36:50+0200 138.97.150.46 root/root failed
2015-05-30 21:17:50+0200 112.4.10.18 master/master failed
2015-05-30 21:22:09+0200 119.40.117.182 sales/sales failed
2015-05-31 00:18:54+0200 112.4.10.18 apache/apache failed
2015-05-31 03:31:33+0200 112.4.10.18 root/com failed
2015-05-31 03:31:35+0200 112.4.10.18 root/id failed
2015-05-31 07:01:32+0200 112.4.10.18 network/network failed
2015-05-31 10:04:04+0200 112.4.10.18 word/word failed
2015-05-31 13:29:46+0200 112.4.10.18 root/r00t failed
2015-05-31 13:29:48+0200 112.4.10.18 root/1234567 failed
2015-05-31 13:29:49+0200 112.4.10.18 root/12345678910 failed
2015-05-31 17:59:48+0200 112.4.10.18 root/12345679 failed
2015-05-31 17:59:49+0200 112.4.10.18 root/0727 failed
2015-05-31 17:59:51+0200 112.4.10.18 root/apache failed
2015-05-31 21:52:19+0200 159.122.93.164 admin/jeha#@d failed
2015-05-31 22:23:07+0200 112.4.10.18 root/administrator failed
2015-05-31 22:23:08+0200 112.4.10.18 root/webadmin failed
2015-05-31 22:23:09+0200 112.4.10.18 root/admin succeeded
2015-06-01 02:45:47+0200 112.4.10.18 root/shell failed
2015-06-01 02:45:49+0200 112.4.10.18 root/linux failed
2015-06-01 02:45:50+0200 112.4.10.18 root/test failed
2015-06-01 06:51:44+0200 112.4.10.18 root/webmaster failed
2015-06-01 06:51:45+0200 112.4.10.18 root/mysql failed
2015-06-01 10:44:06+0200 112.4.10.18 admin/root failed
2015-06-01 10:44:08+0200 112.4.10.18 admin/administrator failed
2015-06-01 10:44:09+0200 112.4.10.18 admin/12345 failed
2015-06-01 13:00:42+0200 159.122.93.164 CISCO/CISCO failed
2015-06-01 13:00:44+0200 159.122.93.164 CISCO/cisco failed
2015-06-01 13:00:46+0200 159.122.93.164 CISCO/ADMIN failed
2015-06-01 13:00:48+0200 159.122.93.164 CISCO/PASS failed
2015-06-01 13:00:50+0200 159.122.93.164 CISCO/TEST failed
2015-06-01 13:00:52+0200 159.122.93.164 CISCO/server failed
2015-06-01 13:00:54+0200 159.122.93.164 server/server failed
2015-06-01 13:00:56+0200 159.122.93.164 CISCO/gateway failed
2015-06-01 13:00:58+0200 159.122.93.164 CISCO/server failed
2015-06-01 13:01:00+0200 159.122.93.164 CISCO/IOS failed
2015-06-01 13:01:02+0200 159.122.93.164 CISCO/123 failed
2015-06-01 13:01:04+0200 159.122.93.164 CISCO/1234 failed
2015-06-01 13:01:06+0200 159.122.93.164 CISCO/12345 failed
2015-06-01 13:01:08+0200 159.122.93.164 CISCO/ROOT failed
2015-06-01 13:01:10+0200 159.122.93.164 CSICO/NAN failed
2015-06-01 13:01:12+0200 159.122.93.164 CISCO/LOL failed
2015-06-01 13:01:14+0200 159.122.93.164 CISCO/CISCO12 failed
2015-06-01 13:01:16+0200 159.122.93.164 CISCO/CISCO123 failed
2015-06-01 13:01:18+0200 159.122.93.164 CISCO/CISCO11 failed
2015-06-01 13:01:20+0200 159.122.93.164 cisco/cisco failed
2015-06-01 13:01:22+0200 159.122.93.164 cisco/ciscoc failed
2015-06-01 13:01:24+0200 159.122.93.164 cisco/admin failed
2015-06-01 13:01:26+0200 159.122.93.164 cisco/cisco123 failed
2015-06-01 13:01:28+0200 159.122.93.164 cisco/cisco12 failed
2015-06-01 13:01:30+0200 159.122.93.164 cisco/cisco failed
2015-06-01 13:01:32+0200 159.122.93.164 cisco/admin failed
2015-06-01 13:01:34+0200 159.122.93.164 cisco/admin123 failed
2015-06-01 13:01:36+0200 159.122.93.164 cisco/root failed
2015-06-01 13:01:38+0200 159.122.93.164 cisco/server failed
2015-06-01 13:01:40+0200 159.122.93.164 cisco/gateway failed
2015-06-01 13:01:42+0200 159.122.93.164 cisco/IOS failed
2015-06-01 13:01:44+0200 159.122.93.164 cisco/test failed
2015-06-01 13:01:46+0200 159.122.93.164 cisco/pass failed
2015-06-01 13:01:48+0200 159.122.93.164 cisco/password failed
2015-06-01 13:01:50+0200 159.122.93.164 cisco/secret failed
2015-06-01 13:01:52+0200 159.122.93.164 cisco/CISCO failed
2015-06-01 13:01:54+0200 159.122.93.164 cisco/Cisco failed
2015-06-01 13:01:56+0200 159.122.93.164 cisco/Ccisco failed
2015-06-01 13:01:58+0200 159.122.93.164 cisco/lol failed
2015-06-01 13:02:00+0200 159.122.93.164 cisco/Router failed
2015-06-01 13:02:02+0200 159.122.93.164 cisco/router failed
2015-06-01 13:02:04+0200 159.122.93.164 cisco/voip failed
2015-06-01 13:02:06+0200 159.122.93.164 cisco/_Cisco failed
2015-06-01 13:02:08+0200 159.122.93.164 cisco/mysecret failed
2015-06-01 13:02:10+0200 159.122.93.164 cisco/passworm failed
2015-06-01 13:02:12+0200 159.122.93.164 cisco/default failed
2015-06-01 13:02:14+0200 159.122.93.164 user/user failed
2015-06-01 13:02:16+0200 159.122.93.164 cisco/phone failed
2015-06-01 13:02:18+0200 159.122.93.164 cisco/myphone failed
2015-06-01 13:02:20+0200 159.122.93.164 CSICI/CCC failed
2015-06-01 13:02:22+0200 159.122.93.164 cisco/ccc failed
2015-06-01 13:02:24+0200 159.122.93.164 sip/sip failed
2015-06-01 13:02:26+0200 159.122.93.164 cisco/SIPGateway failed
2015-06-01 13:02:28+0200 159.122.93.164 cisco/sipg failed
2015-06-01 13:02:30+0200 159.122.93.164 voip/voip failed
2015-06-01 13:02:32+0200 159.122.93.164 cisco/coll failed
2015-06-01 13:02:34+0200 159.122.93.164 admin/admin failed
2015-06-01 13:02:36+0200 159.122.93.164 admin/password failed
2015-06-01 13:02:38+0200 159.122.93.164 admin/pass failed
2015-06-01 13:02:40+0200 159.122.93.164 admin/phone failed
2015-06-01 13:02:42+0200 159.122.93.164 cisco/access failed
2015-06-01 13:02:44+0200 159.122.93.164 cisco/MServer failed
2015-06-01 13:02:46+0200 159.122.93.164 admin/MServer failed
2015-06-01 13:02:48+0200 159.122.93.164 admin/cisco failed
2015-06-01 13:02:50+0200 159.122.93.164 admin/cisco123 failed
2015-06-01 13:02:52+0200 159.122.93.164 admin/root failed
2015-06-01 13:02:54+0200 159.122.93.164 admin/public failed
2015-06-01 13:02:56+0200 159.122.93.164 cisco/public failed
2015-06-01 13:02:58+0200 159.122.93.164 root/rootpasswd failed
2015-06-01 13:03:00+0200 159.122.93.164 root/1234 failed
2015-06-01 13:03:02+0200 159.122.93.164 root/12345 failed
2015-06-01 13:03:04+0200 159.122.93.164 root/123456 succeeded
2015-06-01 14:43:20+0200 112.4.10.18 admin/123456 failed
2015-06-01 17:56:53+0200 112.4.10.18 root/123456 succeeded
2015-06-01 21:20:06+0200 218.87.111.109 root/wubao failed
2015-06-01 21:38:21+0200 112.4.10.18 test/test12345 failed
2015-06-01 21:38:23+0200 112.4.10.18 test/123456 failed


These are the unique IP addresses behind those connection attempts:
Code:
218.65.30.92 China Shanghai
113.195.145.12 China Nanchang
112.4.10.18 China unknown
119.40.117.182 Malaysia Selangor
138.97.150.46 Brazil unknown
159.122.93.164 Germany Frankfurt
218.87.111.109 China Nanchang

mihi
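A small script to do what this reply does by hand: pull the login-attempt lines apart, list the distinct source addresses in the order they first appear, count failures and successes per source, and flag sources that fire attempts in quick bursts (the scripted dictionary runs visible above) as opposed to the slow, spaced-out tries from 112.4.10.18. This is an added example, not code from the thread or from the kippo project. It assumes the condensed one-attempt-per-line form shown in the post (kippo's raw log carries extra bracketed fields that this regex does not handle), and the embedded sample is an excerpt of the lines posted above plus one constructed non-login line to show that other event types are skipped.

```python
"""Summarise kippo 'login attempt' lines by source IP (added example, not kippo code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the condensed form shown in the post: "<date> <time><tz> <ip> <user>/<password> <result>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<user>[^/\s]+)/(?P<password>\S+) "
    r"(?P<result>failed|succeeded)$"
)

# Constructed sample: an excerpt of the lines posted above, plus one unrelated line.
SAMPLE_LOG = """\
2015-05-27 05:59:08+0200 218.65.30.92 root/wubao failed
2015-05-27 05:59:11+0200 218.65.30.92 root/jiamima failed
2015-05-27 05:59:13+0200 218.65.30.92 root/wubao failed
2015-05-27 07:33:37+0200 113.195.145.12 root/wubao failed
2015-05-28 14:09:50+0200 112.4.10.18 fluffy/fluffy failed
2015-05-28 17:11:29+0200 112.4.10.18 admin/admin failed
2015-05-31 22:23:09+0200 112.4.10.18 root/admin succeeded
2015-06-01 13:00:42+0200 159.122.93.164 CISCO/CISCO failed
2015-06-01 13:00:44+0200 159.122.93.164 CISCO/cisco failed
2015-06-01 13:00:46+0200 159.122.93.164 CISCO/ADMIN failed
2015-06-01 13:03:04+0200 159.122.93.164 root/123456 succeeded
2015-06-01 21:20:06+0200 218.87.111.109 root/wubao failed
this line is not a login attempt and is skipped
"""


def parse_attempts(text):
    """Return one dict per recognised login-attempt line; other lines are ignored."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # kippo logs many other events; this report only wants logins
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S%z")
        attempts.append(rec)
    return attempts


def unique_ips(attempts):
    """Source addresses in order of first appearance (the list the post builds by hand)."""
    seen = []
    for a in attempts:
        if a["ip"] not in seen:
            seen.append(a["ip"])
    return seen


def summarise_by_ip(attempts):
    """Per-source counts, the usernames tried, and the active time span."""
    summary = {}
    for a in attempts:
        s = summary.setdefault(a["ip"], {"attempts": 0, "failed": 0, "succeeded": 0,
                                         "users": set(), "first_seen": a["ts"], "last_seen": a["ts"]})
        s["attempts"] += 1
        s[a["result"]] += 1
        s["users"].add(a["user"])
        s["first_seen"] = min(s["first_seen"], a["ts"])
        s["last_seen"] = max(s["last_seen"], a["ts"])
    return summary


def burst_sources(attempts, threshold=3, window=timedelta(seconds=60)):
    """IPs that made at least `threshold` attempts inside any `window`: the signature of a
    scripted dictionary run, as opposed to one try every few hours."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a["ip"]].append(a["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def successful_logins(attempts):
    """(ip, user, password) for attempts kippo accepted; those sessions are the ones worth replaying."""
    return [(a["ip"], a["user"], a["password"]) for a in attempts if a["result"] == "succeeded"]


if __name__ == "__main__":
    found = parse_attempts(SAMPLE_LOG)
    for ip, s in summarise_by_ip(found).items():
        span = s["last_seen"] - s["first_seen"]
        print(f"{ip:16} attempts={s['attempts']:3} ok={s['succeeded']} "
              f"users={sorted(s['users'])} span={span}")
    print("burst sources:", sorted(burst_sources(found)))
    print("accepted credentials:", successful_logins(found))
```

Run it against the full `grep "login attempt" kippo.log` output instead of the embedded sample to get the per-source table for the whole log; the burst threshold and window are deliberately adjustable, since a sensor with more traffic will want a higher threshold.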

Offline lawrence

Re: Track attackers on Cubieboard with kippo honeypot
« Reply #2 on: June 02, 2015, 09:32:12 am »
Most attacks I've seen are usually to drop email programs or botnet control.
China is the source of a lot of attacks, but not necessarily the origin.

Lots of botnet/hacked computers in China that get misused by others.
Unless you have an interest in that, it's ultimately a bit pointless running a honeypot.

SSH attacks are easily mitigated against, and unless you are building an IP-based blocklist, or are interested in how attackers work, not much use.

This does point to an actual Chinese-based attacker though; the wubao and jiamima are indicative of that.
jia mi ma is likely 加密码 (add password in Chinese, or a default password for something)

Most of the attacks I see on my own server(s) are Ukrainian or US based. I occasionally email the culprits' abuse or contact addresses and get replies, but not very often.

I did have one pseudo success story where someone wrote me to tell me to remove a post on my blog where I'd annotated attack logs, as I was one of the first results for a search for their company.
They weren't successful though, as they "demanded" we remove them, instead of asking nicely.


Offline Jojo

Re: Track attackers on Cubieboard with kippo honeypot
« Reply #3 on: June 03, 2015, 09:47:45 am »
Hi,

Quote
Lots of botnet/hacked computers in China that get misused by others.
Unless you have an interest in that, it's ultimately a bit pointless running a honeypot.

SSH attacks are easily mitigated against, and unless you are building an IP-based blocklist, or are interested in how attackers work, not much use.

I don't agree completely. I think for people who are just starting with all these things like SSH, port forwarding, etc., or just don't have very deep knowledge about them, it is quite interesting to see if they are potential victims and/or if their security measures are effective.
For me, it is :) . But I am confused that my logs are empty of failed logins. Either the attackers just don't fail or my security is sufficient ::) .

Quote
Most of the attacks I see on my own server(s) are Ukrainian or US based. I occasionally email the culprits' abuse or contact addresses and get replies, but not very often.

I did have one pseudo success story where someone wrote me to tell me to remove a post on my blog where I'd annotated attack logs, as I was one of the first results for a search for their company.
They weren't successful though, as they "demanded" we remove them, instead of asking nicely.

How do you know the email address or even the company of an attacker?! This is very interesting!

Greetings
Don't think that anyone will take more pains for his answer, as you took for your question.

Offline lawrence

Re: Track attackers on Cubieboard with kippo honeypot
« Reply #4 on: June 06, 2015, 01:36:57 pm »
whois ABUSE_IP_ADDRESS

Look at the abuse email, and contact them to let them know that an IP in that range is causing mischief.
Usually it's a hacked box being used to hack others.
Especially so for fixed IP addresses.
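One way to turn the whois lookup described in this reply into a script, as the follow-up post considers doing: run the system whois client, pull the abuse mailbox out of the reply, and draft a plain-text report that attaches only the honeypot lines for that source. This is an added example, not code from the thread or from any registry. It assumes the `whois` command-line client is installed and that network access is available only for `lookup_abuse_contacts`; everything else runs offline. The two whois replies embedded below are constructed samples in the style of RIPE and ARIN records for the documentation range 192.0.2.0/24 with example.* mailboxes, not real registry data. The attributes it searches for (`abuse-mailbox:`, `OrgAbuseEmail:`, and the "Abuse contact for ... is ..." comment line RIPE prints at the top of a reply) are real field names; registries that publish the contact some other way fall through to the generic "abuse@" match.

```python
"""Extract the abuse contact from a whois reply and draft a report (added example)."""
import re
import shutil
import subprocess

# Registry-specific ways of publishing the abuse contact: the summary line RIPE prints
# at the top of a reply, the RIPE/APNIC role attribute, and ARIN's organisation field.
ABUSE_PATTERNS = [
    re.compile(r"^%\s*Abuse contact for .+ is '([^']+)'", re.IGNORECASE),
    re.compile(r"^abuse-mailbox:\s*(\S+)", re.IGNORECASE),
    re.compile(r"^OrgAbuseEmail:\s*(\S+)", re.IGNORECASE),
]
# Fallback: any address whose local part is 'abuse', wherever it appears in the text.
ABUSE_LOCALPART = re.compile(r"\babuse@[\w.-]+\.\w+\b", re.IGNORECASE)

# Constructed sample replies (documentation range 192.0.2.0/24; not real records).
RIPE_SAMPLE = """\
% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@example.net'

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
abuse-c:        AR1-EXAMPLE
status:         ASSIGNED PA

role:           Example Abuse Role
abuse-mailbox:  abuse@example.net
e-mail:         noc@example.net
nic-hdl:        AR1-EXAMPLE
"""

ARIN_SAMPLE = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Corp
OrgAbuseHandle: ABUSE1-EXAMPLE
OrgAbuseEmail:  abuse@example.com
OrgTechEmail:   noc@example.com
"""


def extract_abuse_contacts(whois_text):
    """Abuse mailboxes in order of first appearance, de-duplicated and lower-cased."""
    found = []
    for line in whois_text.splitlines():
        for pat in ABUSE_PATTERNS:
            m = pat.match(line.strip())
            if m:
                addr = m.group(1).lower()
                if addr not in found:
                    found.append(addr)
    if not found:  # no registry-specific field: fall back to any abuse@ address
        found = sorted({m.group(0).lower() for m in ABUSE_LOCALPART.finditer(whois_text)})
    return found


def lookup_abuse_contacts(ip, timeout=20):
    """Run the system whois client (network access required) and parse its reply."""
    if shutil.which("whois") is None:
        raise RuntimeError("whois client not installed")
    out = subprocess.run(["whois", ip], capture_output=True, text=True, timeout=timeout)
    return extract_abuse_contacts(out.stdout)


def build_abuse_report(ip, attempt_lines, sensor="kippo SSH honeypot"):
    """Plain-text report body with only the evidence lines that name this source address."""
    evidence = [line for line in attempt_lines if ip in line.split()]
    header = (f"Unauthorised SSH login attempts from {ip}\n"
              f"Observed by a {sensor}; {len(evidence)} attempts, timestamps carry their UTC offset.\n"
              f"The host is most likely compromised and being used to attack others.\n\n")
    return header + "\n".join(evidence) + "\n"


if __name__ == "__main__":
    print("RIPE-style reply ->", extract_abuse_contacts(RIPE_SAMPLE))
    print("ARIN-style reply ->", extract_abuse_contacts(ARIN_SAMPLE))
    sample_lines = ["2015-06-01 13:03:00+0200 192.0.2.10 root/1234 failed",
                    "2015-06-01 13:03:02+0200 192.0.2.99 root/12345 failed"]
    print(build_abuse_report("192.0.2.10", sample_lines))
```

Before sending anything automatically, check the parsed contact by hand for the first few sources: registries differ in layout, and a mis-parsed address wastes a report or, worse, sends it to the wrong party.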




Offline Jojo

Re: Track attackers on Cubieboard with kippo honeypot
« Reply #5 on: June 07, 2015, 06:49:39 am »
Quote
whois ABUSE_IP_ADDRESS

Look at the abuse email, and contact them to let them know that an IP in that range is causing mischief.
Usually it's a hacked box being used to hack others.
Especially so for fixed IP addresses.

Amazing! Thanks a lot, I did not know about that at all ::) . This is quite informative. I just tried it with my own IP address and got usable results. Maybe I'll write a script that automatically sends emails to the "abuse@" email address, just in case.

Thanks again!